Hi

Many thanks mate, will try this and let you know. Is that why I get the error "clear text packet received with an encrypted connection"?

Thanks again

cisco4ng <[EMAIL PROTECTED]> wrote:

The solution to this is very simple. If the other side is using 172.x.x.x and you use 172.x.x.x as well, what you want to do is NAT your side to 192.x.x.x and put both 172.x.x.x and 192.x.x.x into your local encryption domain. Your remote encryption domain will be 10.x.x.x because that will be the IPs you tell the other side to use. The reverse is true on the other side.

Once you've done that, go to the main Address translation tab of the security policy and manipulate as follows on your side:

source   dest    service   trans source   trans dest   trans service
172.x    10.x    any       192.x          original     original
10.x     192.x   any       original       172.x        original

Does that help?

cisco4ng

Ray wrote:

For them (with a source address of 172.20.x.x) to be able to access anything on your LAN, they have to be routable on your LAN. If the default route on your LAN points back to the FW-1 internal interface, that's all that's needed.

However, if you are using precisely the same subnets as they are, yes, then it will cause a problem and it will not work.

Ray

>From: Peter Addy
>Reply-To: Mailing list for discussion of Firewall-1
>
>To: [email protected]
>Subject: Re: [FW-1] Site 2 site VPN
>Date: Sun, 11 Jun 2006 14:21:11 -0700
>
>Hi Ray
>
> Many thanks, one point I should have mentioned is that the 172.x.x.x
>address the customer is using is not routable over our LAN, as I'm sure we
>also have these 172.x.x.x addresses used, would this cause a problem?
>
> thanks again
>
>Ray wrote:
> Hi Peter,
>
>Their encryption domain must be set up using the 172.20 address block. You
>only use the 80.x address to establish the VPN. After the VPN is up, that
>address does not exist as far as the site-to-site VPN traffic is concerned.
>
>You usually do not want any kind of NAT going on in the VPN tunnel itself.
>You just need to make sure that their internal IP range is different than
>yours and that your default internal network route ends up at the internal
>interface of FW-1. If you do a "tracert 172.20.whatever" from your computer
>and it ends up at FW-1, you should be OK. You may need to check all of your
>subnets to assure their default route is the same.
>
>FW-1 will take care of the routing for you.
>
>HTH,
>
>Ray
>
>
> >From: Peter Addy
> >Reply-To: Mailing list for discussion of Firewall-1
> >
> >To: [email protected]
> >Subject: [FW-1] Site 2 site VPN
> >Date: Sat, 10 Jun 2006 02:46:06 -0700
> >
> >Hi
> >
> > Can someone please tell me if I was to set up a VPN between an
> >external site and our Checkpoint NG AI and the external site was using an
> >internal address range of 172.20.x.x, and their firewall gateway was
> >80.x.x.x, could I use the gateway 80.x.x.x address for the encryption
> >domain for the external site? Therefore same IP for gateway and topology.
> >Would this work? Would I need any NAT rules?
> >
> > Or does it specifically need to be an address that is routable?
> >
> > Hoping to do this using the simplified mode
> >
> > Thanks for your help guys

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
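
The overlapping-subnet arrangement described in this thread, modelled as an added example that is not part of the original messages: it checks two encryption domains for overlap (the failure Ray describes) and applies the two address translation rules from cisco4ng's table to a packet in each direction. The concrete subnets and the function names are assumptions standing in for the thread's 172.x, 192.x and 10.x.

```python
import ipaddress as ip

# Constructed stand-ins for the thread's 172.x / 192.x / 10.x ranges.
REAL_LOCAL = ip.ip_network("172.20.0.0/16")   # our real LAN, same range as the peer's
NAT_LOCAL = ip.ip_network("192.168.0.0/16")   # range the peer is told to reach us on
REMOTE_SEEN = ip.ip_network("10.20.0.0/16")   # range we are told to reach the peer on


def overlaps(local_nets, remote_nets):
    """Return every (local, remote) pair that overlaps; any hit is ambiguous."""
    return [(l, r) for l in local_nets for r in remote_nets if l.overlaps(r)]


def remap(addr, src_net, dst_net):
    """Static network NAT: keep the host bits, swap the network prefix."""
    offset = int(addr) - int(src_net.network_address)
    return ip.ip_address(int(dst_net.network_address) + offset)


def translate(src, dst):
    """Apply the two rules from the table; the first matching rule is used."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src in REAL_LOCAL and dst in REMOTE_SEEN:   # rule 1: source 172.x -> 192.x
        return remap(src, REAL_LOCAL, NAT_LOCAL), dst
    if src in REMOTE_SEEN and dst in NAT_LOCAL:    # rule 2: dest 192.x -> 172.x
        return src, remap(dst, NAT_LOCAL, REAL_LOCAL)
    return src, dst                                # no rule matched: unchanged


def in_domain(addr, nets):
    """True if addr belongs to any network of an encryption domain."""
    return any(ip.ip_address(addr) in n for n in nets)


if __name__ == "__main__":
    # Without NAT both sides advertise the same range: the domains collide.
    print("no NAT :", overlaps([REAL_LOCAL], [ip.ip_network("172.20.0.0/16")]))
    # With NAT the local domain holds both 172.x and 192.x, the remote one 10.x.
    local_domain, remote_domain = [REAL_LOCAL, NAT_LOCAL], [REMOTE_SEEN]
    print("NAT    :", overlaps(local_domain, remote_domain))
    out = translate("172.20.5.10", "10.20.1.1")    # outbound packet
    back = translate("10.20.1.1", "192.168.5.10")  # reply from the peer
    print("out    :", out, "source in local domain:", in_domain(out[0], local_domain))
    print("back   :", back)
```
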
